multi-turn-runtime-adapters

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The content contains several deliberate patterns that weaken runtime isolation and approval checks (e.g., "danger-full-access", "approvalPolicy: 'never'", auto-approve callbacks, permissionMode: 'bypassPermissions', passing process.env to child processes, and automatic copying of agent templates into workspaces) which together enable remote command execution, broad filesystem/network access, and easy exfiltration of sensitive data — these are high-risk enabling behaviors even if not an explicit payload/backdoor.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly exposes the agent to arbitrary public web content—e.g., allowedTools includes "WebSearch" and "WebFetch" in the Claude allowedTools list and Codex turn input supports external image URLs ("{ type: 'image', 'url': 'https://...' }" in the Codex app-server section of SKILL.md)—and those tool results are normalized and fed back into the agent workflow, so untrusted third-party content can influence subsequent tool use and decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs disabling sandboxing and approval checks (e.g., "danger-full-access", "approvalPolicy: 'never'", "--dangerously-bypass-approvals-and-sandbox" and permissionMode: 'bypassPermissions'), which is guidance to bypass security mechanisms and grant full filesystem/network access, enabling potentially dangerous state-changing actions.